LDAP for an internet project. Part 2
Links to other parts: first, third, fourth, fifth.
I continue the story.
Let me remind you that in the first part we installed OpenLDAP on two servers and set up replication between them.
2. Setting up backups, since it is not that difficult.
For backup I use the bacula system. I will leave the installation and configuration of the “server” Director and Storage modules outside of this article, focusing on client configuration.
Install the client:
apt-get install bacula-fd
Edit /etc/bacula/bacula-fd.conf:
cat > /etc/bacula/bacula-fd.conf << "EOF"
Director {
Name = backup.habr.ru-dir
Password = "<the password specified in the Director config>"
}
FileDaemon {
Name = ldap01.habr.ru-fd
FDport = 9102 # where we listen for the director
WorkingDirectory = /var/lib/bacula
Pid Directory = /var/run/bacula
Maximum Concurrent Jobs = 20
# if you want the daemon to listen only on the internal interface, uncomment the next line
# FDAddress = 192.168.100.1
}
Messages {
Name = Standard
# must be the same name as in the Director resource above
director = backup.habr.ru-dir = all, !skipped, !restored
}
EOF
The password is the shared secret between the Director and this file daemon: anyone who knows it and can reach port 9102 can make the client run jobs, including restores over live files. Do not leave the daemon listening on a public interface (set FDAddress or firewall port 9102 so only the Director can reach it), and keep in mind that the Director-to-FD session is not encrypted unless you enable Bacula's TLS directives (TLS Enable / TLS Require) on both sides.
Create the necessary directories. The dump will contain every userPassword hash in the directory, so the backup directory should be readable by root only:
mkdir /root/scripts /var/backups/openldap
To dump the database we need the following script:
cat > /root/scripts/ldap_backup.sh << "EOF"
#!/bin/sh
# Dump the whole database to LDIF. umask 077: the file holds every userPassword
# hash, so it must not be readable by other users. A non-zero exit makes Bacula
# fail the job instead of archiving an empty or truncated dump.
umask 077
/usr/sbin/slapcat > /var/backups/openldap/habr.ru.ldif || exit 1
EOF
chmod +x /root/scripts/ldap_backup.sh
There is no need to gzip the dump in the script: Bacula compresses it itself once you add compression = GZIP to the FileSet Options (the FileSet below only sets a signature, so add it if you want compression).
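A check worth running before the job proceeds, as an added example that is not part of the original article or of Bacula: a small Python script that parses the LDIF slapcat produced, confirms the dump is non-empty and contains the base DN, and reports any userPassword that is stored in cleartext (a value without a {SCHEME} prefix, or with an explicit {CLEARTEXT} scheme). Called from ldap_backup.sh with its exit status propagated, a failed check makes Bacula's ClientRunBeforeJob fail the job rather than archive a truncated dump. The file name, the script name and the sample dump embedded in it are constructed for the example; the base DN dc=habr,dc=ru is the article's.

```python
"""Sanity-check a slapcat LDIF dump before Bacula archives it.
Added example, not code from the original article. Assumed usage from
ldap_backup.sh:  python3 check_ldif_dump.py /var/backups/openldap/habr.ru.ldif
A non-zero exit lets the script (and so Bacula's ClientRunBeforeJob) fail."""
import base64
import sys

BASE_DN = "dc=habr,dc=ru"      # the article's suffix

# Constructed sample of slapcat output, not a real dump. slapcat writes
# userPassword base64-encoded ("::"); the admin hash below is a placeholder.
SAMPLE_DUMP = """\
dn: dc=habr,dc=ru
objectClass: dcObject
objectClass: organization
dc: habr

dn: cn=admin,dc=habr,dc=ru
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword:: %s

dn: uid=bob,ou=people,dc=habr,dc=ru
objectClass: account
objectClass: posixAccount
uid: bob
uidNumber: 10001
gidNumber: 10001
userPassword: secret123

dn: cn=deploy,ou=accounts,dc=habr,dc=ru
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: deploy
description: deploy robot, contact
  ops@habr.ru
userPassword: {CLEARTEXT}hunter2
""" % base64.b64encode(b"{SSHA}YrA/eJvN+FXGHvb7C4r3JYrAxCU=").decode()


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]. Handles folded lines
    (continuation = leading space), base64 values ("attr:: v") and comments.
    A line without a colon (a truncated dump) raises ValueError."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                    # trailing "" flushes last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith(("#", "version:")):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):                 # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            current[1].setdefault(name, []).append(value)
    return entries


def check_dump(text, base_dn=BASE_DN):
    """Report on a dump. "ok" means non-empty and the base DN is present;
    cleartext passwords are reported but not fatal (a directory problem,
    not a backup problem, but you want to know before the dump leaves the box)."""
    entries = parse_ldif(text)
    cleartext = []
    for dn, attrs in entries:
        for pw in attrs.get("userPassword", []):
            # No {SCHEME} prefix or an explicit {CLEARTEXT}: slapd stores the
            # value as given, so this password sits in the dump in the clear.
            if not pw.startswith("{") or pw.upper().startswith("{CLEARTEXT}"):
                cleartext.append(dn)
    # exact match after lowercasing; good enough for a suffix we wrote ourselves
    has_base = any(dn.lower() == base_dn.lower() for dn, _ in entries)
    return {"entries": len(entries), "has_base": has_base,
            "cleartext_passwords": cleartext, "ok": bool(entries) and has_base}


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_DUMP
    report = check_dump(text)
    for dn in report["cleartext_passwords"]:
        print("WARNING: cleartext userPassword on", dn)
    print("entries=%d has_base=%s ok=%s" % (report["entries"], report["has_base"], report["ok"]))
    return 0 if report["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it checks the embedded sample and flags bob and deploy; with the dump path it exits 1 on an empty dump or one that lost the base entry, and a dump cut off mid-line raises in the parser, which is also a non-zero exit.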
To delete the dump after the backup, we make another script:
cat > /root/scripts/ldap_backup_clean.sh << "EOF"
#!/bin/sh
rm -f /var/backups/openldap/habr.ru.ldif
EOF
chmod +x /root/scripts/ldap_backup_clean.sh
Restart bacula-fd:
/etc/init.d/bacula-fd restart
On the server backup.habr.ru, add roughly the following to /etc/bacula/director.conf:
cat >> /etc/bacula/director.conf << "EOF"
Client {
Name = ldap01.habr.ru-fd
Address = 192.168.100.1
FDPort = 9102
Catalog = MyCatalog
Password = "the password from the first config"
File Retention = 30 days
Job Retention = 6 months
AutoPrune = yes
}
FileSet {
Name = "ldap"
Include {
Options {
# file checksum stored in the catalog for Verify jobs; SHA1 is also accepted
signature = MD5
}
File = /var/backups/openldap/
}
}
Job {
Name = "ldap01.habr.ru-system"
Client = ldap01.habr.ru-fd
JobDefs = "DefaultJob"
FileSet = "ldap"
Write Bootstrap = "/var/lib/bacula/ldap01.habr.ru-log.bsr"
ClientRunBeforeJob = "/root/scripts/ldap_backup.sh"
ClientRunAfterJob = "/root/scripts/ldap_backup_clean.sh"
}
EOF
Reload the bacula-dir configuration:
/etc/init.d/bacula-dir reload
You can check that it works through bconsole: run the job by hand, then restore the LDIF to a scratch directory and make sure it is complete. A backup that has never been restored is not a backup.
3. Install a convenient web-based administration panel: phpldapadmin.
If the phpldapadmin package is not already installed, install it via apt:
apt-get install phpldapadmin
It installs its Apache config in /etc/apache2/conf.d/phpldapadmin and, after restarting httpd, is available at habr.ru/phpldapadmin. I recommend moving it straight away to a separate virtual host such as ldap01.habr.ru, with SSL only: the panel logs in as cn=admin, the directory's rootdn, so that password and the session cookie must never travel over plain HTTP, and access to the virtual host is best limited to administrators' addresses.
Next we need the phpldapadmin config, /etc/phpldapadmin/config.php. Change these lines in it:
$ldapservers->SetValue($i,'server','name','Habrahabr');
$ldapservers->SetValue($i,'server','host','ldap01.habr.ru');
$ldapservers->SetValue($i,'server','base',array('dc=habr,dc=ru'));
After that you can log in to the admin panel by entering cn=admin,dc=habr,dc=ru in the Login DN field and the password in the corresponding field. Next we need to create an organizationalUnit for users and an organizationalUnit for groups. I do not create my own schema; I use two standard templates for users: posixAccount for users who must have shell access to servers and simpleSecurityObject for everyone else. To a simpleSecurityObject I usually add a description attribute in which I write the person's name and contacts. It is also logical to create simpleSecurityObject users in one organizationalUnit and posixAccount users in another.
I create groups based on the groupOfUniqueNames template, and add users as uniqueMember.
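The layout just described, as an added example that is not part of the original article or of phpldapadmin: a Python script that builds an LDIF with the three organizationalUnits, one posixAccount user, one simpleSecurityObject user carrying a description, and groupOfUniqueNames groups with uniqueMember values, ready for ldapadd. The OU names ou=people, ou=accounts and ou=groups, the user names and the passwords are assumptions (the article does not name them). It also spells out two things the phpldapadmin templates do silently: every entry needs a STRUCTURAL object class (account and organizationalRole here, because posixAccount and simpleSecurityObject are both AUXILIARY), and userPassword is written as an {SSHA} hash, which is what later shows up in the slapcat dump.

```python
"""Build the LDIF for the layout described in the article.
Added example, not code from the article or from phpldapadmin. Assumed names:
ou=people (posixAccount), ou=accounts (simpleSecurityObject), ou=groups;
the user names and passwords are made up. Load with:
    ldapadd -x -D cn=admin,dc=habr,dc=ru -W -f layout.ldif"""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=habr,dc=ru"


def ssha(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt), with a random
    salt per password so equal passwords do not produce equal hashes."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """What slapd does on a simple bind: split digest and salt, recompute."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_line(name, value):
    """One attribute line; values LDIF cannot carry in the clear (non-ASCII,
    leading/trailing space, leading ':' or '<', newline) go base64 with '::'."""
    v = str(value)
    safe = v.isascii() and v == v.strip() and not v.startswith((":", "<")) and "\n" not in v
    if safe:
        return "%s: %s" % (name, v)
    return "%s:: %s" % (name, base64.b64encode(v.encode("utf-8")).decode("ascii"))


def entry(dn, **attrs):
    """Render one entry; list values become repeated attribute lines."""
    lines = ["dn: " + dn]
    for name, value in attrs.items():
        for v in (value if isinstance(value, list) else [value]):
            lines.append(ldif_line(name, v))
    return "\n".join(lines) + "\n"


def ou(name):
    return entry("ou=%s,%s" % (name, BASE_DN),
                 objectClass=["top", "organizationalUnit"], ou=name)


def posix_user(uid, uid_number, password, shell="/bin/bash"):
    # posixAccount is AUXILIARY; slapd rejects an entry with no STRUCTURAL
    # class, so 'account' (cosine schema) carries it. Never write the password
    # itself: store the hash, as phpldapadmin's template does.
    return entry("uid=%s,ou=people,%s" % (uid, BASE_DN),
                 objectClass=["top", "account", "posixAccount"],
                 uid=uid, cn=uid, uidNumber=uid_number, gidNumber=uid_number,
                 homeDirectory="/home/" + uid, loginShell=shell,
                 userPassword=ssha(password))


def service_user(cn, password, description):
    # simpleSecurityObject is AUXILIARY too; organizationalRole is the
    # STRUCTURAL class and allows the description attribute used for contacts.
    return entry("cn=%s,ou=accounts,%s" % (cn, BASE_DN),
                 objectClass=["top", "organizationalRole", "simpleSecurityObject"],
                 cn=cn, description=description, userPassword=ssha(password))


def group(cn, member_dns):
    # groupOfUniqueNames MUST contain at least one uniqueMember.
    return entry("cn=%s,ou=groups,%s" % (cn, BASE_DN),
                 objectClass=["top", "groupOfUniqueNames"], cn=cn,
                 uniqueMember=list(member_dns))


def build_ldif():
    bob = "uid=bob,ou=people," + BASE_DN
    deploy = "cn=deploy,ou=accounts," + BASE_DN
    return "\n".join([
        ou("people"), ou("accounts"), ou("groups"),
        posix_user("bob", 10001, "correct horse"),
        service_user("deploy", "battery staple", "deploy robot, contact: Иван, ops@habr.ru"),
        group("admins", [bob]),
        group("deployers", [bob, deploy]),
    ])


if __name__ == "__main__":
    print(build_ldif(), end="")
```

The description with a Cyrillic name comes out as a base64 "description::" line, which is the same encoding slapcat uses on the way back out. {SSHA} is what slappasswd emits by default and every OpenLDAP release verifies; if your slapd build offers a stronger scheme such as {ARGON2}, prefer it, since the dump from the previous section is exactly where these hashes end up.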
We will try all of this in action in the next part of the article.
That's all for today, thanks for watching.